
Combatting APT with NetFlow

Christopher Smithee
Lancope
Attack Evolution

• Viruses (1990s): Anti-Virus, Firewalls
• Worms (2000s): Intrusion Detection & Prevention
• Botnets (late 2000s to current): DLP, Application-aware Firewalls, SIM
• Directed Attacks (APT): ?????
A Small Portion of the Attacks (2012)
The Environment - Once upon a time

[Diagram: Internet, VPN, DMZ, Internal Network]
The Mobile Computing Era

[Diagram: Internet, VPN, DMZ, Internal Network]
And now BYOD or IT Consumerization

[Diagram: Internet, VPN, DMZ, Internal Network, plus 3G Internet and 4G Internet paths reaching the internal network directly]
BYOD is Riskiest

• Difficult to find common AV or host-based IDS spanning platforms
• Reliant on employees to install them
• Cisco says 70 percent of young workers ignore IT rules.
http://newsroom.cisco.com/press-release-content?type=webcontent&articleId=586267
• Over half of all IT leaders in the U.S. say that employee-owned mobile devices pose a greater risk to the enterprise than mobile devices supplied by the company.
NetFlow Analysis

• Low cost monitoring solution
– Uses outputs from existing infrastructure
– A single or small number of regional collectors supports an infrastructure
– No agents
• Easy to configure
– Enabled on the devices
– No hardware to insert
• Present throughout the network
– Routers
– Switches
– Firewalls
– etc…
• Accounting data stores well
– Fractions of a percentage of the storage needed for Packet Capture
– Common format means it's easy to write to tables for analysis
Internal Visibility Through NetFlow

NetFlow packet fields:
– src and dst ip
– src and dst port
– start time
– end time
– mac address
– byte count
– more

[Diagram: NetFlow exported from the Internet edge, VPN, DMZ, 3G Internet and Internal Network devices to a NetFlow Collector]

Transactional Audits of ALL activities
Incident Investigation Using Flows

5 hour 6 Mbps ssh connection?

APT characteristics for the investigator

• An APT will generally involve:
– Information gathering via social media and Google search. It is via this that the targets for the social engineering phase are identified.
– Exploit of common vulnerabilities in support of the above.
– Targeted social engineering attacks against identified users.
– Compromise of one or more internal machines and installation of remote control software of some kind.
– Data mining from the inside.
– Exfiltration of data.

• Network-based APT detection boils down to discovering the command-and-control connections, the data mining/data reconnaissance, and the exfiltration activity. As with all attacks, success is measured by the time elapsed between attack and discovery.

Command and Control

Remote Control: Are My Hosts Controlled by External Systems?

© 2012 Lancope, Inc. All rights reserved.

Command and Control - Host Becomes Infected

• Internal host connects to a malware infected website
– Downloads data infecting the system
• Method of detection
– Host Lock to known bad list

[Diagram: internal host reaching the website across Internet/MPLS; NetFlow packets (src and dst ip, src and dst port, start time, end time, mac address, byte count, and more) sent to the NetFlow Collector]
Communication to CNC

• Host communicates with Command and Control network for instructions
– Periodic phone home
• Method of detection
– Host Lock to known bad list
– Suspect Long Flow and Beaconing Host alarms

[Diagram: infected host phoning home across Internet/MPLS; NetFlow packets (src and dst ip, src and dst port, start time, end time, mac address, byte count, and more) sent to the NetFlow Collector]
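As an added example (not from the original deck and not Lancope's product logic), the two alarm types named on this slide, Suspect Long Flow and Beaconing Host, implemented over constructed flow records carrying the fields the deck lists; the long-flow case is the "5 hour 6 Mbps ssh connection" from the investigation slides. Assumptions: internal hosts live in 10.0.0.0/8, and all thresholds are illustrative rather than product defaults.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

def is_internal(ip):  # assumption: 10.0.0.0/8 is the enterprise address space
    return ip_address(ip) in ip_network("10.0.0.0/8")

# Constructed flow records: (src_ip, dst_ip, dst_port, start_s, end_s, byte_count)
FLOWS = [
    # 10.1.1.5 phones home to the same external host roughly every 600 s
    ("10.1.1.5", "203.0.113.9", 443, 0, 1, 420),
    ("10.1.1.5", "203.0.113.9", 443, 601, 602, 418),
    ("10.1.1.5", "203.0.113.9", 443, 1199, 1200, 425),
    ("10.1.1.5", "203.0.113.9", 443, 1802, 1803, 419),
    ("10.1.1.5", "203.0.113.9", 443, 2400, 2401, 422),
    # 10.1.1.7 browses an external site at irregular, user-driven intervals
    ("10.1.1.7", "198.51.100.4", 443, 0, 30, 90000),
    ("10.1.1.7", "198.51.100.4", 443, 45, 60, 20000),
    ("10.1.1.7", "198.51.100.4", 443, 900, 1000, 120000),
    ("10.1.1.7", "198.51.100.4", 443, 5000, 5010, 3000),
    # the slide's "5 hour 6 Mbps ssh connection": 18000 s carrying 13.5 GB
    ("10.1.1.9", "198.51.100.8", 22, 0, 18000, 13_500_000_000),
]

def suspect_long_flows(flows, min_seconds=3600, min_bps=1_000_000):
    """Outbound flows that stay up past min_seconds at a sustained bit rate."""
    hits = []
    for src, dst, port, start, end, nbytes in flows:
        duration, outbound = end - start, is_internal(src) and not is_internal(dst)
        if outbound and duration >= min_seconds and nbytes * 8 / duration >= min_bps:
            hits.append((src, dst, port, duration, nbytes * 8 / duration))
    return hits

def beaconing_hosts(flows, min_flows=4, max_cv=0.05):
    """Internal hosts whose flows to one external host:port recur at near-constant gaps."""
    starts = defaultdict(list)
    for src, dst, port, start, end, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            starts[(src, dst, port)].append(start)
    hits = {}
    for key, times in starts.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        # coefficient of variation of the inter-flow gaps: near 0 means clockwork timing
        if period > 0 and pstdev(gaps) / period <= max_cv:
            hits[key] = round(period)  # beacon period in seconds
    return hits
```

Real collectors see thousands of flows per host, so the same checks are normally run per host group and per time window rather than over a flat list.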
Controlled Host Begins Network Activities

• Compromised host performs malicious activities
– Attempts to compromise internal resources (probing)
– Becomes a member of DDoS
– Data exfiltration to Internet
• Method of detection
– Scanning detection (CI)
– DoS Monitoring
– Suspect Data Loss

[Diagram: controlled host probing internal hosts and sending data out across Internet/MPLS; NetFlow packets (src and dst ip, src and dst port, start time, end time, mac address, byte count, and more) sent to the NetFlow Collector]
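An added example, not from the deck or from Lancope's tools, of the Scanning detection and Suspect Data Loss checks on this slide run over constructed flow records. The concern_index function is a crude stand-in for the CI score (assumed to be Lancope's Concern Index), and BASELINE_OUT_BYTES is an assumed per-host daily outbound volume of the kind host baselining produces; internal hosts are assumed to live in 10.0.0.0/8.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

def is_internal(ip):  # assumption: 10.0.0.0/8 is the enterprise address space
    return ip_address(ip) in ip_network("10.0.0.0/8")

# Constructed flow records: (src_ip, dst_ip, dst_port, start_s, end_s, byte_count)
FLOWS = [
    # 10.1.1.5 touches 40 internal hosts on one port with tiny flows (probing)
    *[("10.1.1.5", f"10.2.0.{i}", 445, i, i + 1, 60) for i in range(1, 41)],
    # 10.1.1.7 exchanges real data with a couple of internal servers
    ("10.1.1.7", "10.3.0.10", 445, 0, 20, 40_000),
    ("10.1.1.7", "10.3.0.11", 80, 5, 25, 120_000),
    # outbound traffic for the day: 10.1.1.9 pushes 2 GB to the Internet
    ("10.1.1.9", "198.51.100.8", 443, 0, 3600, 2_000_000_000),
    ("10.1.1.7", "198.51.100.4", 443, 0, 600, 30_000_000),
]
# Constructed per-host baseline: mean daily outbound bytes over prior weeks
BASELINE_OUT_BYTES = {"10.1.1.9": 50_000_000, "10.1.1.7": 40_000_000}

def concern_index(flows, max_bytes=200):
    """Per internal source: distinct internal host:port pairs reached with flows
    of at most max_bytes, a crude stand-in for a scan/probe score."""
    peers = defaultdict(set)
    for src, dst, port, start, end, nbytes in flows:
        if is_internal(src) and is_internal(dst) and nbytes <= max_bytes:
            peers[src].add((dst, port))
    return {src: len(p) for src, p in peers.items()}

def scanning_hosts(flows, threshold=20):
    """Hosts whose concern index crosses the (assumed) alarm threshold."""
    return {h for h, ci in concern_index(flows).items() if ci >= threshold}

def suspect_data_loss(flows, baseline, factor=5.0):
    """Internal hosts sending more than factor x their baseline to the Internet.
    A host with no baseline is flagged so an analyst can establish one."""
    out = defaultdict(int)
    for src, dst, port, start, end, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            out[src] += nbytes
    return {h: b for h, b in out.items() if b > factor * baseline.get(h, 0)}
```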
Reconnaissance Detection

Reconnaissance/Scan Detection: Are Hosts Trying to Find Resources to Compromise?

Traffic Analysis and Network Visibility

• Top N reports showing any time period across any Host Group
Flow-based Anomaly Detection
Scan Detection Visualized

Data Loss

Suspicious Data Loss Detection: Is the Organization Losing Sensitive Information?

Manual Data Loss Detection

Manual Data Loss Detection - Drill Down

Automated Data Loss Detection

Automated Data Loss Detection (cont.)

Automated Data Loss Detection - Drill Downs

The Power of Flow

• Flow-based Analytics provide new ways to look for:
– Covert Channels and Remote Controlled Hosts
– Data Reconnaissance
– Data Exfiltration
• Flow data provides a full accounting for all network traffic
• Device agnostic – Understanding device types can help flow tools provide better context, but the data works for any system that uses IP to communicate
• No agents to be installed to understand host behavior or posture assessment
How can we make Flow Analysis Even Better?

• Cross correlating this data with Directory stores and/or NAC solutions increases value by providing context
• While many times the users won't be aware their machines are used to enact the compromise, IRTs need to be able to quickly correlate this data to mitigate risks.
– Accomplished through portals, SIEM integrations or directly in the flow analysis tools themselves.
– Click-throughs to reduce workflow are optimal
Behavioral Analysis and Host Profiling

• Host and host group baselining